Conversation
|
Each LTS release will be supported for N years, but how frequently will LTS releases be made? How will non-LTS releases work? Continuing (or returning to) a release every six months, and support only the current and previous release? Ending support when the OS does is fair, as long as you keep timely releases, and don't have a bunch of fixes saved up only to miss the window. How will backport candidates be identified, and will the core team commit to doing them all within a certain time period? I consider Ubuntu to have the best (for the consumer) LTS support at the moment. That's an LTS release every two years, and each one has free support for five years. Non-LTS releases every six months. The security support lasts longer than the bugfix support. OpenJDK is similar. That's a big commitment, so you don't have to go that far. |
|
I agree with you on the Ubuntu model being a great one, but I don't think it's realistic. Something more realistic might be LTS every 2 years with 3 years of support. That being said, I'm not sure that's even attainable at this point as it seems the Salt core team may be struggling even under the current model. Would have to wait for someone from Salt core team to weigh in. |
|
Just a feedback from a random guy. While having LTS releases would be great, but I think following things should be solved before LTS is introduced, as these things will diminish the work put in maintaining it. Some issues I noticed:
At that point you can designate certain branches as LTE. If you do LTE without the other stuff you will constantly be introducing regressions. And it will be a lot of effort and still not much benefit to it. Another thing, and I mentioned this in another ticket. I believe is salt should migrate from setup.py + bunch of of custom code + many different requirements.txt to something that is declarative and doesn't allow custom code. I personally like poetry, but others likely will work of to (even using setuptools with specifying all dependencies in setup.cfg should be better). The way things work appear to cause a lot of burden to anyone make changes. As there are many places that need to be updated. The custom setup.py also appears to have custom parser of requirements.txt (which BTW seems to have a bug and appears to think that python 3.10 is older than 3.9. Essentially telling me that there's no pyzmq version that can be used). I believe that if there was a single file specifying all supported version ranges, and an environment markers should satisfy platform/python specific dependencies. |
|
Ubuntu probably does have the gold standard for LTS releases -- but they also are a much much larger endeavor than Salt 🙂 One thing that we've seen with a not-insignifcant-number of Salt users is that they're still on significantly outdated versions of Salt. I honestly don't think that an LTS will change that -- that's an organizational problem. An LTS might help them out - and having an overlap of N months may actually provide them with enough of a window to be able to upgrade.
FWIW, we actually have to do that, since distutils is deprecated and will be removed in Python 3.12, which is rapidly approaching. We are already tracking that. In fact, I jumped straight to a setup.cfg based approach and at least the minimal testing I did seemed to work just fine. But I realize that I'm just one data point and there are many, many more salt users out there. Thanks everyone so far for your feedback! This gives us a lot of things to consider already. If anyone has any points about LTS models that haven't been brought up yet, do please drop them here! |
Probably because of the large number of regressions every release. For example, there is still no 3004.2, and there were some very major regressions in 3004.1. Everyone that uses syndic or TCP had to either stay on a vulnerable release, or patch it themselves. If there was an LTS branch, it might actually get bugfix releases. |
To be fair bugfix policy was never clarified for the current release process and it's not yet clarified for a new one. It's unclear what Salt considers bugfix-worth and what is not. |
|
It's also unclear how the new process handles the the original "backporting hell" issue that leaded to the current release process |
|
The proposal reads like they assume an LTS system would be less work for the core team, when actually it should be more or it won't work. |
|
@OrangeDog If you take the example of the recent CVE Release for 3002.8, 3003.4 and 3004.1 verses the LTS branch, then that is a reduction where only one branch has to be stabilized with tests green etc. Getting 3002.8 into a stable state for tagging was difficult due to its age. Definitely a reduction in work effort. |
At least two - the master branch and the LTS branch. That's assuming you also aren't supporting the latest non-LTS release. Four branches if it's during an upgrade period - master, latest release, latest-LTS, previous-LTS. |
|
In this SEP I'd expect to see a retrospective of the previous release process overhaul: https://github.com/saltstack/salt-enhancement-proposals/blob/master/accepted/0014-dev-overhaul.md
A biggest downside of the discussed SEP is that it lacks explicit description of user needs and how they will be met. By users I mean not only regular users, but also companies who drive major features (VMware itself, SUSE, etc). So far it looks like it is only focused on how to reduce the efforts to maintain Salt (which is a totally valid point of view), but it is not clear how the proposed changes will affect users. And I truly believe that user needs should be the primary focus, otherwise there would be no community and no point in maintaining open source software for it (and the efforts will be ultimately reduced to zero). Below I'll try to summarize my experience with Salt releases over the years: Pre Neon 3000
Post Neon 3000
What I'd like to see:
From a more high level perspective that means:
|
|
Further to a retrospective, see also the discussion on the previous process change: #20 |
How much overlap do you feel is reasonable?
Non-LTS releases would be feature/bugfix combined release and ideally would happen regularly (Like monthly). There are multiple factor effecting the core teams' ability to release more frequently. One of the most significant of these obstacles is our current packaging / testing of packages process. This process can take anywhere from several days to almost a month depending on what kind of release we're doing. CVE releases take longer right now due to the number over versions being released. We currently have a project slated for 3006 that aims to resolve our packaging problems. The goal of this project is to completely automated our package builds and tests.
Agreed, release velocity and frequency needs to be sped if we have any chance of making this work.
I think it'll be up to the developer fixing a bug to know where it needs to be fixed and open the appropriate PRs on any branches where it's needed. This, IMO, is needed to prevent merge forward hell. I don't think anything should be 'backported' from master to LTS. The only thing going in LTS is bug-fixes and if a bug exists in both LTS and master, you'd be obligated to open a PR that resolves (and tests for the resolution) in both branches.
I think we'll be aiming for something a little more frequent. |
We are struggling and there are multiple factors involved in why. As I mentioned in my last reply, One reason we're struggling is the amount of time it's taking to package Salt. Another reason we've been struggling is because we have not been consistently running and monitoring tests on older branches. We need to fix both of those problems regardless of our release / support timeline. Part of the motivation for this SEP is to limit the number of versions we're supporting at any given time. Which would intern limit the number of test suites we're running and having to monitor. When we made the change to the 3000.x release model we intended to increase velocity and we were able to slightly improve there, but that model breaks when we start looking at CVE releases. The primary realization that we've come to is that we absolutely need to keep tests running and monitored on older versions. Another, is we absolutely need to automate package builds and testing. |
All feedback is welcome, thanks.
I think this type of thing is the exception, not the rule. All of the engineers on the core team know it's important to try and fully understand the issue before making changes. Issues with dependencies can be tricky, especially with the amount of OSes and OS versions we support. It should also be noted this is why we run the tests on so many OSes and platforms. Looks like this particular issue happened before we had FreeBSD in the pipelines.
This was an issue, yes, and is a case where we realized the errors of our ways. We've since put all of the syntax upgrades into a single PR.
This is something that has happened as of the last few release and is a process thing. To be clear, we do have a release checklist but it likely needs to be updated.
Some of this is being worked on right now as a part of the distutils deprecation work.
The complexity here stems from us supporting system package versions for our dependencies. It vastly complicates things. We are aware of the issue and are working on initiatives to help resolve this. |
|
Re: the setup.py issue, I have that effort slated for Sulphur/3006. I basically am planning to (re)start tackling that as soon as Phosphorus is released. If you want to follow along with those efforts you can track them here: saltstack/salt#60476 - my initial experiments (that are in no way comprehensive) are promising 👍 |
Master and Latest Release are one branch here. Latest LTS and previous LTS are two.. By my count that is 3 branches. With our currently states relase/support cycle, We end up with 5 supported branches at times. |
So you're going to stop supporting the latest non-LTS release with security fixes? |
No, but all non-lts release would be able to have both features and bugfixes. So, if we do a security release, the fixes would go into master and and we'd cut a release with anything else on the head of master. The logic here is that if you are following the master release you expect to have features rolled out with bugfixes, otherwise you can use LTS. |
| - reasoning being if the OS is not providing FREE security fixes, we should not | ||
| either. PAID support for security fixes is another matter and between | ||
| customer and VMware, not the Salt Project. | ||
| - non-LTS branch - does it get security fixes or do they come in the next |
There was a problem hiding this comment.
what specifically is meant by non-lts branch here? are we suggesting that builds of the "main" branch might not get a re-release at the same time as the "LTS" branch if a cve came out?
What about users who want to be on "latest"
There was a problem hiding this comment.
I have added a diagram to hopefully show what we'll be doing better. Security releases are a priority. When we encounter a CVE all supported releases get a patch for the CVE at the same time, when we make the CVE public.
|
Congratulations on your first PR being merged! 🎉 |
12 participants
No description provided.